chore(release): prepare 0.1.0-alpha.2

* Bump parent + sealed-env-core + sealed-env-spring-boot-starter
  versions from 0.1.0-alpha.1 to 0.1.0-alpha.2.
* CHANGELOG.md: full release notes for 0.1.0-alpha.2 covering CLI fixes
  (--out and --file), playground demo, expanded comparison table,
  enterprise cross-stack vector, and OSS hygiene additions.
* No wire-format changes; files sealed by 0.1.0-alpha.1 decrypt cleanly
  on 0.1.0-alpha.2 and vice versa.

Author: davidalmeidac

CHANGELOG.md

@@ -12,52 +12,86 @@ files written today will remain readable forever. See [SPEC.md](./SPEC.md).
 
 ## [Unreleased]
 
-### Added
+---
 
-- **Open-source repository hygiene** to support contributors:
-  - `CONTRIBUTING.md` — local setup for both Node and Java sides, commit
-    convention, crypto change policy, spec change policy, adapter
-    contribution guide.
-  - `CODE_OF_CONDUCT.md` — adopts Contributor Covenant 2.1 verbatim by
-    canonical link.
-  - GitHub issue templates: structured bug report, feature request, and
-    a `config.yml` that disables blank issues and routes security
+## [0.1.0-alpha.2] — 2026-05-06
+
+Iteration on usability and onboarding. No wire-format changes; files
+sealed by `0.1.0-alpha.1` decrypt cleanly on `0.1.0-alpha.2` and vice
+versa.
+
+### Fixed
+
+- **CLI: `encrypt --out`** no longer auto-suffixes the user-provided
+  path with `.sealed`. Previously, `--out file.sealed.basic` produced
+  `file.sealed.basic.sealed` (double suffix). Now `--out` is respected
+  exactly as given. The default (when `--out` is omitted) is still
+  `<input>.sealed`.
+- **CLI: `unseal`** now accepts `--file <.env.sealed>` and extracts the
+  salt and KDF parameters automatically. Previously an operator had to
+  decode the salt manually from the file and pass it via `--salt <hex>`,
+  which was the documented but practically unusable path for
+  `enterprise` mode. The `--salt` flag is kept for backward
+  compatibility, and a stderr warning is emitted when neither flag is
+  used (the zero-salt sentinel only works in single-process flows).
+
+### Added — Open Source
+
+- **Hands-on demo scripts** under `/playground/` for all three modes
+  plus tampering and cross-stack interop. Self-contained bash scripts
+  that generate ephemeral keys, seal a sample `.env`, demonstrate each
+  mode end-to-end, and verify the roundtrip. Cross-platform: Git Bash
+  on Windows, native bash elsewhere.
+- **Cross-stack test vector for `enterprise` mode**
+  (`test-vectors/v1/node-enterprise.json`) plus a Java interop test
+  that builds its own unseal token from the file's salt + the master
+  key + the TOTP secret committed in the vector. Cross-stack
+  conformance suite now covers all three modes.
+- **Open-source repository hygiene**:
+  - `CONTRIBUTING.md` — local setup for both Node and Java sides,
+    commit convention, crypto change policy, spec change policy,
+    adapter contribution guide.
+  - `CODE_OF_CONDUCT.md` — adopts Contributor Covenant 2.1 verbatim
+    by canonical link.
+  - GitHub issue templates: structured bug report, feature request,
+    and `config.yml` that disables blank issues and routes security
     disclosures to the GitHub Security Advisory flow.
-  - GitHub pull request template with a security review checklist that
-    is required when crypto code is touched.
-- **GitHub Discussions** enabled for design questions and open-ended
-  conversations not suited to the issue tracker.
+  - GitHub pull request template with a security review checklist
+    required when crypto code is touched.
+- **GitHub Discussions** enabled for design questions.
 
 ### Documentation
 
-- Bilingual public landing site at
+- **Expanded comparison table** in the root README. Adds HashiCorp
+  Vault, Doppler, AWS Secrets Manager, and `dotenv` proper to the
+  comparison. Includes a "when to pick which" decision section and an
+  explicit "what `sealed-env` is not" callout to set expectations
+  against centralized vault tooling.
+- **Bilingual public landing site** at
   [davidalmeidac.github.io/sealed-env](https://davidalmeidac.github.io/sealed-env/)
-  (English + Spanish) deployed via GitHub Pages. Plain HTML/CSS, single
-  small i18n script, no runtime dependencies — coherent with the
-  project's "zero deps" ethos.
-- ASCII-art diagrams replacing the previous Mermaid diagrams across all
-  docs. Renders correctly in GitHub, any terminal, `cat`/`less`, and
-  inside `git diff` — no JavaScript renderer required, which matters
-  for a security tool whose docs should remain legible even when the
-  rendering layer is unavailable or untrusted.
-- Cross-stack architecture diagram, three-modes side-by-side comparison,
-  and a visual mode-decision flowchart added to the root README.
-- README documentation links repaired (the previous version pointed to
-  files that did not exist in `/docs/`).
-- Six numbered docs guides under `/docs/`:
-  - `01-overview.md` — what `sealed-env` is and isn't.
-  - `02-threat-model.md` — coverage matrix mapped to real 2024-2026
-    incidents.
-  - `03-quickstart-node.md`, `04-quickstart-java.md`.
-  - `05-enterprise-mode.md` — TOTP + deploy challenge walkthrough.
-  - `06-format-anatomy.md` — `.env.sealed` byte layout.
+  (English + Spanish) deployed via GitHub Pages. Plain HTML/CSS,
+  single small i18n script, no runtime dependencies.
+- **ASCII-art diagrams** replacing the previous Mermaid diagrams
+  across all docs. Renders correctly in GitHub, any terminal,
+  `cat`/`less`, and inside `git diff` — no JavaScript renderer
+  required, which matters for a security tool whose docs should
+  remain legible even when the rendering layer is unavailable or
+  untrusted.
+- **Cross-stack architecture diagram**, three-modes side-by-side
+  comparison, and a visual mode-decision flowchart added to the root
+  README.
+- **Six numbered docs guides** under `/docs/` (overview, threat
+  model, Node quickstart, Java/Spring Boot quickstart, enterprise
+  mode walkthrough, format anatomy).
+- **README documentation links repaired** — the previous version
+  pointed to files that did not exist in `/docs/`.
 
 ### Sponsorship
 
 - `FUNDING.yml` configured with GitHub Sponsors and Ko-fi.
-- Sponsorship section on the landing page with three explicit tiers and
-  honest framing about what the funds enable (security research, new
-  language adapters, maintainer time).
+- Sponsorship section on the landing page with three explicit tiers
+  and honest framing about what the funds enable (security research,
+  new language adapters, maintainer time).
 
 ---
 
@@ -158,5 +192,6 @@ published to their respective registries on this version.
   deep ink (`#1a1612`). Latin motto: *Cvstos Arcani* — "Guardian of
   the secret".
 
-[Unreleased]: https://github.com/davidalmeidac/sealed-env/compare/java-v0.1.0-alpha.1...HEAD
+[Unreleased]: https://github.com/davidalmeidac/sealed-env/compare/java-v0.1.0-alpha.2...HEAD
+[0.1.0-alpha.2]: https://github.com/davidalmeidac/sealed-env/compare/java-v0.1.0-alpha.1...java-v0.1.0-alpha.2
 [0.1.0-alpha.1]: https://github.com/davidalmeidac/sealed-env/releases/tag/java-v0.1.0-alpha.1

java/pom.xml

@@ -7,7 +7,7 @@
 
   <groupId>io.github.davidalmeidac</groupId>
   <artifactId>sealed-env-parent</artifactId>
-  <version>0.1.0-alpha.1</version>
+  <version>0.1.0-alpha.2</version>
   <packaging>pom</packaging>
 
   <name>sealed-env (parent)</name>

java/sealed-env-core/pom.xml

@@ -8,7 +8,7 @@
   <parent>
     <groupId>io.github.davidalmeidac</groupId>
     <artifactId>sealed-env-parent</artifactId>
-    <version>0.1.0-alpha.1</version>
+    <version>0.1.0-alpha.2</version>
   </parent>
 
   <artifactId>sealed-env-core</artifactId>

java/sealed-env-spring-boot-starter/pom.xml

@@ -8,7 +8,7 @@
   <parent>
     <groupId>io.github.davidalmeidac</groupId>
     <artifactId>sealed-env-parent</artifactId>
-    <version>0.1.0-alpha.1</version>
+    <version>0.1.0-alpha.2</version>
   </parent>
 
   <artifactId>sealed-env-spring-boot-starter</artifactId>